The iPhone 5s and newer, iPad Air 2 and newer, and iPad mini 3 and newer come equipped with Touch ID, a fingerprint scanner. According to this article the sensor is bound to each device uniquely. This means that Touch ID sensors seem to be tied to specific devices, in a way similar to the HDMI protected media path.

However there is a private API for it; its dylib file is in Xcode 5 in the path Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS7.0.sdk/System/Library/PrivateFrameworks/BiometricKit.framework/BiometricKit

As of iOS 8, the dylib has been removed from the iOS SDK, and has been replaced by a stub (containing symbols, but no code). The dylib can still be obtained easily from the dyld_shared_cache on the device. Code is ARM64, but can be disassembled by newer versions of IDA (6.4) or NewOSXBook.com's jtool.

Process

Fingerprint Registration Process

The fingerprint sensor detects an object to scan (activated via the 'metal ring' around the home button).

The fingerprint sensor starts the scan - basically it takes a picture of the finger (UIImage).

The picture is transferred to the Secure Enclave Processor (SEP) over an encrypted data line (similar to the HDMI protected media path).

The SEP stores this picture as a so-called template. It then constructs a lower resolution version, a histogram of the most common ridge angles, and stores it together with the higher resolution template in the Secure Enclave.

The SEP sends the lower resolution version to the main CPU.

The main CPU stores the lower resolution version in a database (for later authentication).

Fingerprint Authentication Process

The fingerprint sensor detects an object to scan (activated via the 'metal ring' around the home button).

The fingerprint sensor starts the scan - basically it takes a picture of the finger (UIImage).

The picture is transferred to the Secure Enclave Processor (SEP) over an encrypted data line (similar to the HDMI protected media path).

The SEP constructs a lower resolution version: a histogram of the most common ridge angles.

The SEP sends the lower resolution version to the main CPU.

The main CPU compares the lower resolution version against its database for possible matches.

The main CPU sends the possible matches back to the SEP, or the authentication is rejected if no matches are found.

The SEP takes the matches received from the main CPU and compares the initial image against the high resolution templates of those matches.

Access is granted in case of positive comparison or rejected in case of negative comparison.
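The two-stage flow above (coarse histogram kept on the main CPU, high resolution comparison done only inside the SEP) as an added Python model; this is not code from BiometricKit or from Apple, and the angle bucketing, the thresholds and the 12-angle sample "images" are constructed assumptions. It shows what a compromise of the main CPU's database would expose (only coarse bins) and that a candidate proposed by the main CPU can still be rejected by the SEP.

```python
# Toy model of the two-stage matching flow described above (an added example, not
# Apple's code; formats, thresholds and the 12-angle "images" are constructed).
from collections import Counter
from typing import Dict, List, Tuple

BIN_WIDTH = 15          # ridge angles 0-179 degrees bucketed into 12 bins
TOP_BINS = 3            # "most common ridge angles" forwarded to the main CPU
FINE_THRESHOLD = 0.90   # fraction of angles that must agree for the SEP to accept

def coarse_histogram(angles: List[int]) -> Tuple[int, ...]:
    """Lower resolution version: the most common ridge-angle bins, sorted."""
    counts = Counter(a // BIN_WIDTH for a in angles)
    return tuple(sorted(b for b, _ in counts.most_common(TOP_BINS)))

class SecureEnclave:   # keeps the high resolution templates; only coarse data leaves
    def __init__(self) -> None:
        self._templates: Dict[int, List[int]] = {}
    def enroll(self, image: List[int]) -> Tuple[int, Tuple[int, ...]]:
        tid = len(self._templates) + 1
        self._templates[tid] = list(image)
        return tid, coarse_histogram(image)   # main CPU receives id + coarse only
    def verify(self, image: List[int], candidates: List[int]) -> bool:
        for tid in candidates:                # fine comparison stays in the SEP
            tmpl = self._templates.get(tid)
            if tmpl is None or len(tmpl) != len(image):
                continue
            agree = sum(a == b for a, b in zip(tmpl, image)) / len(image)
            if agree >= FINE_THRESHOLD:
                return True
        return False

class MainCPU:         # holds only coarse histograms, proposes candidates to the SEP
    def __init__(self, sep: SecureEnclave) -> None:
        self.sep, self.db, self.last_candidates = sep, {}, []
    def register(self, image: List[int]) -> None:
        tid, coarse = self.sep.enroll(image)
        self.db[tid] = coarse
    def authenticate(self, image: List[int]) -> bool:
        coarse = coarse_histogram(image)      # in the real flow the SEP computes this
        self.last_candidates = [t for t, h in self.db.items()   # share >= 2 top bins
                                if len(set(h) & set(coarse)) >= 2]
        if not self.last_candidates:          # rejected without consulting the SEP
            return False
        return self.sep.verify(image, self.last_candidates)

FINGER_A = [30, 32, 31, 75, 77, 76, 110, 112, 111, 30, 75, 110]   # constructed; bins 2,5,7
NOISY_A = [33] + FINGER_A[1:]                                      # rescan, one angle off
FINGER_B = [33, 34, 35, 78, 79, 80, 140, 141, 142, 33, 78, 140]   # constructed; bins 2,5,9
FINGER_C = [5, 6, 7, 50, 51, 52, 160, 161, 162, 5, 50, 160]       # constructed; bins 0,3,10
```

FINGER_B shares two coarse bins with FINGER_A, so the main CPU proposes both templates as possible matches, and only the SEP's fine comparison tells them apart.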

Inferred Information

Based on a string dump, here is what is implied.

Its codename is "mesa"

It communicates over XPC to a binary that handles access to it

There are kernel extensions to interface with it

The kernel extension communicates to the secure keystore to set and verify fingerprints

The A7 chip contains a secure element marketed as the Secure Enclave. The string dump refers to SEP, the Secure Element Protocol. This chip is most likely one sourced from NXP. It contains physical security to ensure that the only operations of the chip involve setting new fingerprints and verifying fingerprints against the ones stored in it (i.e. challenge-response). This way, the fingerprint data cannot be extracted from it.

String Dump

Below is a full string dump of the framework, which hints at its functionality.